
EasyJet Data Breach Exposes Millions of Customer Details

The company said nine million customers have been exposed in what it says was a “highly-sophisticated” cyberattack.

Budget airline EasyJet has revealed that private information belonging to nine million customers has been exposed in a major data breach.

The company confirmed today (19th May) that email addresses and travel details were accessed in the breach, and it is currently in the process of informing all affected customers.

Of the nine million customers affected in the cyberattack, EasyJet said the credit card details of more than 2,200 customers had also been “accessed” by unauthorised persons. The company insisted that no passport details have been exposed, however.

Customers whose credit card details were taken have been contacted, while everyone else affected will be contacted by 26th May.

In a statement, the company said: “We take issues of security extremely seriously and continue to invest to further enhance our security environment.

“There is no evidence that any personal information of any nature has been misused, however, on the recommendation of the Information Commissioner’s Office (ICO), we are communicating with the approximately nine million customers whose travel details were accessed to advise them of protective steps to minimise any risk of potential phishing.

“We are advising customers to be cautious of any communications purporting to come from EasyJet or EasyJet Holidays.”

The BBC revealed that the company knew of the attack back in January. It did not provide comment on how the breach occurred, but has closed off any access and reported the issues to the National Cyber Security Centre (NCSC) and the ICO.

EasyJet chief executive, Johan Lundgren, commented: “We take the cybersecurity of our systems very seriously and have robust security measures in place to protect our customers’ personal information. However, this is an evolving threat as cyber attackers get ever more sophisticated.

“Since we became aware of the incident, it has become clear that owing to Covid-19 there is heightened concern about personal data being used for online scams. As a result, and on the recommendation of the ICO, we are contacting those customers whose travel information was accessed and we are advising them to be extra vigilant, particularly if they receive unsolicited communications.”

He added: “Every business must continue to stay agile to stay ahead of the threat. We will continue to invest in protecting our customers, our systems, and our data. We would like to apologise to those customers who have been affected by this incident.”

This is one of the largest attacks ever on a British company, but it is only one in a string of several over the last few months – particularly since the outbreak of coronavirus. At a time when consumer tensions are high and airlines are struggling, this is a deeply damaging incident for EasyJet.

Rachel Aldighieri, managing director of the Data & Marketing Association (DMA), warned that data breaches such as these have a hugely negative impact on consumer trust in the long-term.

“Many organisations, especially airlines, have been hugely impacted by coronavirus and are trying to survive and remain operational. However, this challenging situation should not alter their priorities and data protection must remain one of them,” she said.

“This is now the second international airline in two years that has had a major breach, at a time when UK consumers already have heightened concerns around phishing attempts from scammers. Data sharing and consumer trust are both critical to the digital economy, so organisations must be aware of the long-term damage that repeated data breaches can have on consumers’ willingness to share information in the future,” Aldighieri added.

In 2019, the British Airways data breach exposed information belonging to more than half-a-million customers, prompting an investigation by the ICO and a huge £183 million fine, which EasyJet may also face.

Similar cyber attacks in recent months have revealed the data of millions, including a breach of Virgin Media’s systems and the phishing attack on Carnival Cruise Lines that allowed hackers access to staff accounts.

Hackers have been using the Covid-19 disruption as a platform to escalate phishing attacks on businesses, individuals and industry sectors, with healthcare and insurance both firmly in the crosshairs.

“Covid-19 is presenting not only a physical threat but a cyber threat as well,” said Lotem Finkelsteen, Check Point’s head of threat intelligence.

“All public sector entities and [telecommunications companies] everywhere should be extra wary of documents and websites themed around Coronavirus,” she added.